U.S. Says Ring Stole 160 Million Credit Card Numbers

Eduardo Munoz/ReutersUnited States Attorney Paul J. Fishman, left, on Thursday after announcing the indictments in a hacking and data breach case.

Updated, 8:40 p.m. | A prolific gang of foreign hackers stole and sold 160 million credit card numbers from more than a dozen companies, causing hundreds of millions of dollars in losses, federal prosecutors charged on Thursday in what they described as the largest hacking and data breach case in the country.

The scheme was run by four Russian nationals and a Ukrainian, said the United States attorney for the District of New Jersey, Paul J. Fishman, who announced the indictments in Newark.

Related Links

The victims in the scheme, which prosecutors said ran from 2005 until last year, included J. C. Penney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and the French retailer Carrefour.

Separate indictments involving some of the same men, accusing them of computer attacks on Citibank, PNC Bank and the Nasdaq stock exchange, were filed by federal prosecutors in Manhattan.

Computer security experts said the scheme was notable for how long it lasted, how well coordinated it was and how it carefully singled out specific systems in the financial companies’ servers to steal from so many personal credit and debit card accounts.

The attackers had a sophisticated division of labor, according to the indictment. One hosted an anonymous Web server. Others broke into the targeted sites. Still another went inside and fetched the items of interest. The tactic is a signature of Russian organized crime syndicates.

“It is a really potent reminder of what researchers have been saying: The bigger threat is coming from criminal gangs, most of which are coming from Russia,” said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “It’s far more immediately impactful than threats coming from China.”

The defendants were identified as Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov and Dmitriy Smilianets of Russia and Mikhail Rytikov of Ukraine. Mr. Smilianets and Mr. Drinkman were arrested in the Netherlands last year. Mr. Smilianets has already been extradited to the United States, where he is expected to make his first court appearance next week. The other three are at large.

The defendants would use so-called SQL injections, which send a command or piece of code to a computer allowing unauthorized users to manipulate contents of the computer system. Once they gained access to credit card numbers, some of the men would sell them to resellers.

“They were very patient and relentless,” Mr. Fishman said at a news conference on Thursday.

When the men’s attack on the supermarket chain Hannaford was noticed, a Florida man who worked with the defendants wrote in an instant message to Mr. Kalinin that “Hannaford will spend millions to upgrade their security!! lol,” according to the indictment.

Mr. Kalinin reportedly wrote back, “They would better pay us to not hack them again.”

The defendants were generally able to sell American credit card numbers for $10 and European numbers for $50 because of the poorer security safeguards on American cards, Mr. Fishman said.

Mr. Fishman said Heartland Payment Systems had suffered the biggest losses identified so far, about $200 million. Heartland said in a statement that its breach ended in 2008 and that it would “continue supporting” law enforcement organizations.

In the indictment unsealed in Manhattan, Mr. Kalinin and another Russian, Nikolay Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims’ bank accounts. From December 2005 through November 2008, the two men hacked into computer systems and stole information from banks including Citibank and PNC Bank, according to the indictment.

The cases are likely to buttress the arguments of those pushing for federal laws to promote greater sharing of information between private companies and law enforcement agencies. Legislation has been proposed — and defeated — largely on the grounds that it would empower federal law enforcement authorities to snoop on private communications.

Correction: July 31, 2013An article on Friday about the federal indictments of foreign hackers who stole and sold 160 million credit card numbers described their hacking method, an SQL injection, incorrectly. The maneuver involves sending a command or piece of code to a computer that allows unauthorized users to manipulate its contents; it is not software.

Correction: August 2, 2013An article last Friday about the federal indictments of foreign hackers who stole and sold 160 million credit card numbers described their hacking method incorrectly, and a correction in this space on Wednesday rendered incorrectly the term for the method. It is known as SQL injection, not SLQ.

A version of this article appears in print on 07/26/2013, on page B7 of the NewYork edition with the headline: U.S. Says Ring Stole 160 Million Credit Card Numbers.